Timestamp:
Jan 21, 2020, 11:36:05 AM (5 years ago)
Author:
Tadeu Zagallo
Message:

JSTests:
Object allocation sinking is missing PutHint for allocations unreachable in the graph
https://bugs.webkit.org/show_bug.cgi?id=203799
<rdar://problem/56852162>

Reviewed by Saam Barati.

  • stress/allocation-sinking-puthint-control-flow-2.js: Added.

(f.handler.construct):
(f):

Source/JavaScriptCore:
Object allocation sinking is missing PutHint for sunken allocations
https://bugs.webkit.org/show_bug.cgi?id=203799
<rdar://problem/56852162>

Reviewed by Saam Barati.

Consider the following graph:

Block #0:

1: PhantomCreateActivation()
2: PhantomNewFunction()
PutHint(@2, @1, FunctionActivationPLoc)
Branch(#1, #2)

Block #1:

3: MaterializeCreateActivation()
PutHint(@2, @3, FunctionActivationPLoc)
Upsilon(@3, 5)
Jump(#3)

Block #2:

4: MaterializeCreateActivation()
PutHint(@2, @4, FunctionActivationPLoc)
Upsilon(@4, 5)
Jump(#3)

Block #3:

5: Phi()
ExitOK()

On Block #3, we need to emit a PutHint after the Phi, since we might exit after it. However,
object allocation sinking skipped this Phi because it was checking whether the base of the
location that caused us to create this Phi (@2) was live, but it's dead in the graph (there
are no pointers to it). The issue is that, even though there are no pointers to the base, the
location PromotedHeapLocation(@2, FunctionActivationPLoc) is still live, so we should PutHint
to it. We fix it by checking for liveness of the location rather than its base.

  • dfg/DFGObjectAllocationSinkingPhase.cpp:
File:
1 edited

  • trunk/Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp

    r254735 r254866  
    411411        const Allocation& base = m_allocations.find(location.base())->value;
    412412        auto iter = base.fields().find(location.descriptor());
    413 
    414413        if (iter == base.fields().end())
    415414            return nullptr;
     
    437436
    438437        return &getAllocation(identifier);
     438    }
     439
     440    bool isUnescapedAllocation(Node* identifier) const
     441    {
     442        auto iter = m_allocations.find(identifier);
     443        return iter != m_allocations.end() && !iter->value.isEscapedAllocation();
    439444    }
    440445
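Review bot: The new isUnescapedAllocation() at new lines 440-443 has no comment saying how it differs from the lookup directly above it that ends in `return &getAllocation(identifier);`. From its body it only asks whether the node is present in m_allocations and `!iter->value.isEscapedAllocation()`, so it can stay true for an allocation that nothing points to any more, which is the case the commit message describes. A one-line comment above the declaration stating that would keep a later reader from treating the two predicates as interchangeable.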
     
    19471952
    19481953                for (PromotedHeapLocation location : hintsForPhi[variable->index()]) {
    1949                     if (m_heap.onlyLocalAllocation(location.base())) {
     1954                    if (m_heap.isUnescapedAllocation(location.base())) {
    19501955                        m_insertionSet.insert(0,
    19511956                            location.createHint(m_graph, block->at(0)->origin.withInvalidExit(), phiDef->value()));
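Review bot: At new line 1954 the condition now tests `m_heap.isUnescapedAllocation(location.base())`, but nothing at the call site says why a base with no remaining pointers must still receive a hint after the Phi. The commit message has the reasoning (PromotedHeapLocation(@2, FunctionActivationPLoc) is still live even though @2 is dead in the graph); a short comment above the `if` carrying it would help, since the removed `onlyLocalAllocation` check looked equally plausible. Other callers of onlyLocalAllocation are not visible in this diff, so it is worth confirming that none of them relies on the same base-liveness assumption when emitting hints.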